CryptoLocker

Discussion in 'malware problems & news' started by DX2, Sep 10, 2013.

  1. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    is there a short tutorial how set it to default?

    thanks GrafZeppelin
     
  2. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    The CryptoPrevent application has a field to add programs that might need to be whitelisted. It already comes with known programs whitelisted but you can add others as you see fit. :thumb:
     
  3. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    Yup. Or Bitdefender Anti-CryptoLocker. These keep out the trojan ransomware in different ways and they complement each other. The former sets policy restrictions on what can run in data folders and the latter looks for suspicious processes that might attempt to run there and blocks/terminates them before they can execute. :thumb:
     
  4. tomazyk

    tomazyk Guest

    Here is the tutorial that I use when I set up my SRP: http://www.mechbgon.com/srp/
     
  5. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    thanks Tomazyk

    do you think I can do the same with ESET HIPS?
     
  6. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Anyone using CryptoPrevent on an XP SP3 machine? Any problems or conflicts?
     
  7. tomazyk

    tomazyk Guest

    Yes, similar can be achieved by putting Eset's HIPS in interactive mode. In that case Eset will monitor program executions and alert you of new, unknown processes.
     
  8. Dragon1952

    Dragon1952 Registered Member

    Joined:
    Sep 16, 2012
    Posts:
    2,468
    Location:
    Hollow Earth - Telos
    http://blog.opendns.com/2013/12/16/wrap-containing-cryptolocker-webcast/
     
    Last edited by a moderator: Jan 2, 2014
  9. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    CryptoLocker creeps lure victims with fake Adobe, Microsoft activation codes.
    http://www.theregister.co.uk/2014/01/02/cryptolocker_worm/
     
  10. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
  11. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    hi
    how can I make a rule like this?
    ESET alerts on every process and not only on new and unknown processes

    thanks
     
  12. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  13. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,166
    hi

    i read the tutorial _http://www.mechbgon.com/srp/

    for me it's just a bit confusing
    may I know which folders I should block?
     
  14. guest

    guest Guest

    If you want to go with blacklisting method, see here:
    https://www.wilderssecurity.com/showpost.php?p=2321701&postcount=68

    Mechbgon's guide is whitelisting/default-deny mode, which I consider to be more secure and easier to configure. Basically, if you don't install apps in custom folders, then it should be only two or three:
    - Windows folder
    - Program Files folder
    - Program Files (x86) folder, if you're on 64-bit

    You can get even tighter by only allowing specific app folders, or even hash rules for certain executables. But for the hash rules, it'd be very cumbersome for day to day usage since you'll need to recreate the rules for allowed apps if you update the software version.
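    The default-deny setup described above, written as a PowerShell script rather than clicked through in secpol.msc. This is an added example, not part of the post or of mechbgon's guide; it assumes the SRP policy was first created once in the Local Security Policy editor (so the default values under the Safer key exist), that it runs elevated, and that the registry-path forms of the three folders match the built-in default rules on your Windows version.

    ```powershell
    # Added example: flip an existing Software Restriction Policy to default-deny and
    # allow only the Windows, Program Files and Program Files (x86) folders.
    # Assumes the policy object already exists (created once in secpol.msc) and that
    # this runs from an elevated prompt. Test in a VM before applying to a real box.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (-not (Test-Path $base)) { throw "Create the SRP policy once in secpol.msc first" }

    # DefaultLevel: 0 = Disallowed (default-deny), 262144 (0x40000) = Unrestricted
    Set-ItemProperty -Path $base -Name DefaultLevel -Type DWord -Value 0
    # TransparentEnabled: 1 = check executables but skip DLLs (keeps the policy usable)
    Set-ItemProperty -Path $base -Name TransparentEnabled -Type DWord -Value 1
    # PolicyScope: 0 = apply to all users, 1 = exempt local administrators
    Set-ItemProperty -Path $base -Name PolicyScope -Type DWord -Value 0

    # Each allow rule is a GUID-named subkey under <level>\Paths; 262144 = Unrestricted.
    function Add-SrpPathRule {
        param([string]$Path, [string]$Description)
        $guid = [guid]::NewGuid().ToString('B').ToUpper()
        $key  = Join-Path $base "262144\Paths\$guid"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Path
        Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord        -Value 0
        Set-ItemProperty -Path $key -Name Description  -Type String       -Value $Description
        Set-ItemProperty -Path $key -Name LastModified -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
    }

    # Registry-path form (same style as the rules Windows creates by default), so the
    # rules resolve correctly whatever drive Windows is installed on.
    Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%' 'Windows folder'
    Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%' 'Program Files'
    if (Test-Path 'C:\Program Files (x86)') {
        # Assumed value name on 64-bit Windows; verify it exists under CurrentVersion first.
        Add-SrpPathRule '%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir (x86)%' 'Program Files (x86)'
    }
    ```

    Log off and on before relying on it; SRP reads the policy for processes started afterwards. Remember that any user-writable subfolder inside Program Files or Windows (some installers create them) is also allowed by these rules, which is the gap the tighter per-app and hash rules close.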
     
  15. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
  16. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870

    Still targets the %AppData% folder. Securing it prevents the malware from being executed there. Best practice is to scan all received files and to have Windows show file extensions, which are normally hidden by default. It goes without saying don't download attachments from anyone you don't know or that you weren't expecting. :thumb:
     
  17. kriteshHDS

    kriteshHDS Registered Member

    Joined:
    Jan 27, 2014
    Posts:
    17
    Location:
    Canada
  18. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    Rollback RX is image recovery software. CryptoLocker would only be able to overwrite all files and shadow copies from the date it was installed.

    You can revert to an earlier point in time with Rollback RX and the malware is gone and all your files should still be there before CryptoLocker encrypted them. :thumb:
     
  19. guest

    guest Guest

    I thought Rollback RX is snapshotting software? Although it's still better than Windows' system restore, I prefer to use a real drive imaging software personally.
     
  20. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    The snapshots are backup images of your operating system that are saved to RB's MB directory. At boot, even if Windows fails to boot, you can still restore Windows from RB's boot console by selecting a date you knew it would boot. It beats having to do a reformat and reinstall. :thumb:
     
  21. Noob

    Noob Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    6,491
    Should i be worried about this? :)
     
  22. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Depends on how worried you are about the usual social engineering.
     
  23. Keatah

    Keatah Registered Member

    Joined:
    Jan 13, 2011
    Posts:
    1,029
    Rollback RX can best be thought of as a magician. Something that makes you see what you want to see. It plays sleight of hand with the sector/filemaps of a disk.

    When you make a change to the disk (like writing a file), it keeps record of the changes and assigns them to a snapshot (point in time). RBRX then "presents" the right sectors belonging to a point in time to Windows every single time disk operations are done. This can consist of "old" sectors and "new-in-a-snapshot" sectors. A map overlaid on a map.

    I believe RBRX would work in your favor against cryptolocker, though I have not personally tested it in such an environment. RBRX is really ahead of its time and not yet implemented correctly.
     
  24. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,870
    RB is a kind of sandbox container for Windows - on another level it works like Sandboxie - only far more effectively at the boot/MBR level.

    Malware that infects the RB snapshot file exists only in that file. When you rollback to an earlier date, the malware infection is reversed like it never existed.

    Once you rollback, you can then delete the infected snapshot and poof - the malware is gone forever! It's a way of staying ahead of the evolution of malware because it provides a layer of protection Windows can't. As a result - if you do mess up Windows, you don't have to spend hours recovering from a Windows compromised by human error.

    AV is reactive, it can protect only after the fact. RB can protect before something happens by restoring Windows to its last good working state. :thumb:
     
  25. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Can you defrag your HDD as usual with RollbackRX -- and does it use VSS (mine is not working)?
     